incubator-jspwiki-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Jaquith <andrew.jaqu...@mac.com>
Subject Re: JSPWiki "Special Pages"
Date Tue, 27 Nov 2007 15:20:07 GMT
> Not sure what you're getting at. Are you saying one should not add his
> custom JSPs to JSPWiki? By that logic you couldn't use any JSPs at  
> all. And
> if you're linking to them through a wiki link or by simply entering  
> its
> address in the browser location bar shouldn't make any difference in  
> terms
> of security.

Matthias -- re-reading this thread, it is clear that I have  
misinterpreted your intentions.

It is perfectly safe for a developer or admin to add JSPs to JSPWiki,  
or to modify existing JSPs so that they include additional JavaScript  
code. These kinds of activities can only be done by a developer or  
admin who has access the filesystem. It appears that is what you  
intended to do, and it's fine.

It is "mostly" safe for a wiki page to include an existing JSP via a  
"special pages" link. I'm not really that thrilled that the capability  
to do this exists in JSPWiki; I can imagine several obscure scenarios  
where it might be abused. But that, too, isn't really a problem.

However, what I was responding to was the idea of using a wiki page to  
include arbitrary JavaScript or arbitary JSP code that an author  
uploads to the page. This would be incredibly unsafe. But, it's not  
what you meant... so never mind. :)

Sorry -- I get a lot of e-mails every day, and I can't always read  
them as closely as I'd like. As the resident paranoid around here, I'm  
always looking for failure modes.

Andrew

>
>
> All I am doing is adding yet another JSP to JSPWiki which uses  
> JavaScript
> for some UI logic and asynchronous HTTP requests. If adding custom  
> JSPs
> which make use of standard JavaScript opens security holes in  
> JSPWiki, then
> JSPWiki may be fundamentally broken in terms of security.
>
> Best,
> Matthias


Mime
View raw message